From 8911b04077797b11441598b10817e564b8be3479 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 16 Apr 2015 15:33:32 -0600
Subject: [PATCH] DetectGidSet - safer stripping of quotes.

Discovered by AFL when using a rule like:

alert tcp any any -> any any (content:"ABC"; gid:";)

resulting a negative array index.
---
 src/detect-gid.c | 40 ++++++++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 6 deletions(-)

diff --git a/src/detect-gid.c b/src/detect-gid.c
index b25dc01579..3a36d7bc65 100644
--- a/src/detect-gid.c
+++ b/src/detect-gid.c
@@ -71,13 +71,15 @@ static int DetectGidSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
 char *str = rawstr;
 char dubbed = 0;
- /* strip "'s */
- if (rawstr[0] == '\"' && rawstr[strlen(rawstr)-1] == '\"') {
- str = SCStrdup(rawstr+1);
- if (unlikely(str == NULL))
+ /* Strip leading and trailing "s. */
+ if (rawstr[0] == '\"') {
+ str = SCStrdup(rawstr + 1);
+ if (unlikely(str == NULL)) {
 return -1;
-
- str[strlen(rawstr)-2] = '\0';
+ }
+ if (strlen(str) && str[strlen(str) - 1] == '\"') {
+ str[strlen(str) - 1] = '\"';
+ }
 dubbed = 1;
 }
@@ -160,6 +162,31 @@ end:
 DetectEngineCtxFree(de_ctx);
 return result;
 }
+
+/**
+ * \test Test a gid consisting of a single quote.
+ *
+ * \retval 1 on succces
+ * \retval 0 on failure
+ */
+static int GidTestParse03 (void)
+{
+ int result = 0;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ if (DetectEngineAppendSig(de_ctx,
+ "alert tcp any any -> any any (content:\"ABC\"; gid:\";)") != NULL)
+ goto end;
+
+ result = 1;
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
 #endif /* UNITTESTS */
 /**
@@ -170,5 +197,6 @@ void GidRegisterTests(void)
 #ifdef UNITTESTS
 UtRegisterTest("GidTestParse01", GidTestParse01, 1);
 UtRegisterTest("GidTestParse02", GidTestParse02, 1);
+ UtRegisterTest("GidTestParse03", GidTestParse03, 1);
 #endif /* UNITTESTS */
 }
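Review bot: The trailing-quote branch in the first hunk stores a quote instead of a terminator: `str[strlen(str) - 1] = '\"';` overwrites the last character with the same `"` it just matched, so the closing quote is never removed and whatever later parses `str` still sees it (the removed line wrote `'\0'` at this position). The line should read `str[strlen(str) - 1] = '\0';`. The new `strlen(str)` guard does cover the lone-quote input from the commit message, where `str` is empty after the copy, so the out-of-bounds write is fixed even though the stripping is not. DetectGidSetup continues outside the hunk, so how `str` is parsed afterwards and whether the copy is freed when `dubbed` is set cannot be confirmed here.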
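Review bot: The Doxygen comment on GidTestParse03 in the second hunk misspells its return value; `\retval 1 on succces` should read `\retval 1 on success`. The test only pins that a lone quote is rejected, so if quoted gid values are meant to be accepted, as the stripping code implies, a companion case that appends a well-formed quoted gid (constructed example: `gid:\"123\"`) and checks the parsed value would exercise the branch this commit rewrites. GidTestParse03 is complete within the hunk.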